From d94b851ca2d207ae0ade612d1999d9b245f3314f Mon Sep 17 00:00:00 2001 From: Andriy Redko Date: Thu, 15 Sep 2022 11:55:15 -0400 Subject: [PATCH] Getting security exception due to access denied 'java.lang.RuntimePermission' 'accessDeclaredMembers' when trying to get snapshot with S3 IRSA (#4469) (#4522) Signed-off-by: Andriy Redko Signed-off-by: Andriy Redko Co-authored-by: Suraj Singh (cherry picked from commit 8366ea3fb4f0dbdc64b9dd2d566b27c5d88d7be3) Signed-off-by: Andriy Redko Signed-off-by: Andriy Redko Co-authored-by: Suraj Singh --- .../opensearch/repositories/s3/S3Service.java | 21 ++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/S3Service.java b/plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/S3Service.java index 18bb62944dede..930af6f8a9799 100644 --- a/plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/S3Service.java +++ b/plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/S3Service.java @@ -305,21 +305,28 @@ static AWSCredentialsProvider buildCredentials(Logger logger, S3ClientSettings c } if (irsaCredentials.getIdentityTokenFile() == null) { - return new PrivilegedSTSAssumeRoleSessionCredentialsProvider<>( - securityTokenService, + final STSAssumeRoleSessionCredentialsProvider.Builder stsCredentialsProviderBuilder = new STSAssumeRoleSessionCredentialsProvider.Builder(irsaCredentials.getRoleArn(), irsaCredentials.getRoleSessionName()) - .withStsClient(securityTokenService) - .build() + .withStsClient(securityTokenService); + + final STSAssumeRoleSessionCredentialsProvider stsCredentialsProvider = SocketAccess.doPrivileged( + stsCredentialsProviderBuilder::build ); + + return new PrivilegedSTSAssumeRoleSessionCredentialsProvider<>(securityTokenService, stsCredentialsProvider); } else { - return new PrivilegedSTSAssumeRoleSessionCredentialsProvider<>( - securityTokenService, + final STSAssumeRoleWithWebIdentitySessionCredentialsProvider.Builder stsCredentialsProviderBuilder = new STSAssumeRoleWithWebIdentitySessionCredentialsProvider.Builder( irsaCredentials.getRoleArn(), irsaCredentials.getRoleSessionName(), irsaCredentials.getIdentityTokenFile() - ).withStsClient(securityTokenService).build() + ).withStsClient(securityTokenService); + + final STSAssumeRoleWithWebIdentitySessionCredentialsProvider stsCredentialsProvider = SocketAccess.doPrivileged( + stsCredentialsProviderBuilder::build ); + + return new PrivilegedSTSAssumeRoleSessionCredentialsProvider<>(securityTokenService, stsCredentialsProvider); } } else if (basicCredentials != null) { logger.debug("Using basic key/secret credentials");